Can I Use ChatGPT Without Restrictions in My Company?
The release of ChatGPT in November 2022 sparked a global hype. At the same time, it ignited and advanced the debate surrounding the handling and regulation of Artificial Intelligence (AI). AI tools like ChatGPT are not only present in the media and among regulatory bodies but are also increasingly used in professional everyday life.
This article provides an overview of selected legal aspects arising from the use of ChatGPT in the workplace. It is addressed to those who use the text generator ChatGPT and utilize its results. Before delving into the relevant legal aspects of copyright and data protection, a brief description of how ChatGPT works will be provided. Based on this explanation, the article will then describe the areas in which ChatGPT can be applied within a company. Finally, before concluding, some tips for the (legally) safe use of ChatGPT will be given.
- 17. October. 2024
Philipp Nöhrer
AI Legal & Compliance Experte
How ChatGPT Works
The Chatbot ChatGPT[1] was developed by the American company OpenAI. ChatGPT is an extensive language model that generates human-like texts and simulates conversations using AI and machine learning. It relies on a vast knowledge database that goes back to September 2021.
Based on the user’s input (referred to as a “prompt”), ChatGPT generates a result in natural language. Regarding how ChatGPT transforms the prompt into an outcome, it responds as follows:[2]
- ChatGPT generates results based on the input prompt using a neural network trained on a large corpus of text. When a user enters a prompt, the model analyzes the text to understand the context. It captures both the immediate input and the connections it has learned from its training dataset. It then uses this understanding to make predictions about which words and phrases would best fit the given prompt. The model then produces a response by generating words and phrases that are logically and semantically appropriate to the context, ensuring that coherent and meaningful texts are created.
[1] GPT stands for Generative Pre-Trained Transformer.
[2] The response was generated by the prompt “Please write me a paragraph about how ChatGPT works, explaining to the reader how ChatGPT generates the result based on the input prompt.” on September 15, 2023, by the GPT-3.5 model.
Copyright Aspects
Can AI-generated Results Lead to Copyright Violations?
A legally relevant question is whether the text generated by AI can lead to a copyright infringement. It is important to know that ChatGPT does not directly take longer text elements. The logic of ChatGPT is based on a mixture of stored content and experiences regarding which content typically follows which questions (“predictions”). This means that the likelihood of ChatGPT using works from its training data verbatim is low. Therefore, a copyright infringement is usually not present, as literal strings are not used, nor do they reach a threshold of originality. Thus, third-party works are not reproduced. However, a violation of third-party copyrights or the creation of plagiarized content cannot be entirely excluded. Users generally do not know what source material ChatGPT has used and where it originated.Do I Obtain Copyright Protection for the Results of ChatGPT?
The prerequisite for a copyright-protected work is an original intellectual creation, for example in the field of literature, based on a human action. Due to its functioning, copyright rights usually do not arise for the results generated by ChatGPT. This is because, in the case of short texts, there is often a lack of originality or, alternatively, a human author. As ruled by the Austrian Supreme Court (OGH): “Only a product of human intellect can be protected by copyright […] If a machine serves a human in a copyright creation process not just as a tool but works are created without the intervention of a creative human, for example solely by a computer, […] there is […] no copyright-protectable work” (OGH 20.09.2011, 4 Ob 105/11m). Ultimately, ChatGPT is a tool—similar to how Microsoft is not the author of works written with Word. Only in exceptional cases does an original intellectual creation seem conceivable, such as in a longer conversation between the user and the AI. It is crucial whether the chats exceed the level of trivial representations of events and, through the form design of the prompt, the selection of source material, and the development of results, have become personal, characteristic intellectual creations of the user. If the authorship of the user is affirmed, they receive copyright protection for the entire content of the chat history. Note: The previously used prompt is a simple, generic prompt. It is unlikely to exceed the required threshold of “original intellectual creation” in terms of copyright law.Data Protection Aspects
What Role Do I Assume in Data Processing When Using ChatGPT?
The assignment of the role is decisive for the type of use. OpenAI distinguishes between two types of content: 1.    „Non-API-Content“ is primarily used by end customers via the web browser. Here, OpenAI is the data protection officer, and the use occurs in accordance with OpenAI’s Privacy Policy. („Privacy Policy“[1]). 2.    „API-Content“is offered to companies via an API platform so they can integrate ChatGPT into their own services. If a company integrates GPT technology through the OpenAI API into its product, the company becomes the data controller, and OpenAI acts as the data processor.Does OpenAI Use the Input Prompts for Training Purposes?
Yes. If ChatGPT is used as a “Non-API Service” by the end customer, according to the („Terms of Use“[2]) the content may be used for the development and improvement of ChatGPT (Section 3 lit c of Terms of Use).This means OpenAI is entitled to use the prompts provided by users to train their models and improve their services (Section 2 at the end of the Privacy Policy). The good news is that users have the option to opt-out of this use. The opt-out can be done by filling out a web form.[3] In contrast, ChatGPT in the API content version does not use content for training or improvement purposes of the service.What Should Be Considered from a Data Protection Perspective When Using the OpenAI API Service?
If a company uses the OpenAI API, it is responsible as the data controller for the legality of data processing. This means the company needs a legal basis under Article 6 (1) GDPR when processing personal data. At the same time, a contractual relationship arises between the employing company as the data controller and OpenAI as the data processor. In this case, OpenAI provides its own Data Processing Agreement (DPA), which must be concluded separately.[4] With regard to the DPA, OpenAI does not accept third-party or revised versions, so the version from OpenAI must be adopted.Where Does OpenAI Store the Data?
According to its own statements, OpenAI processes and stores data in the USA. This results in a data transfer to a third country, for which an appropriate data protection legal basis according to Articles 44 ff. GDPR is required. With the entry into force of the EU-US Data Privacy Framework in July 2023, there is once again an adequacy decision for data transfers between the EU and the USA. If organizations are certified under the framework, the adequacy decision can serve as a basis for data transfer. At the time of this article’s creation (September 26, 2023), OpenAI has no certification. [5] o compensate for this deficiency, OpenAI has integrated standard contractual clauses in its DPA.What Other Data Protection Aspects Should Be Considered When Using ChatGPT?
If a company wants to use ChatGPT to process personal data, this can pose high risks for the affected individuals. Therefore, it may be necessary (and advisable) to conduct a Data Protection Impact Assessment (DPIA). Furthermore, the company must inform about the data processing by ChatGPT. This is usually done through a Privacy Policy. It must inform users how and for what purposes their data are processed by the company or OpenAI, how long they are stored, and how the rights of the affected individuals can be exercised. [1] OpenAI’s Privacy Policy is available at https://openai.com/policies/privacy-policy (as of September 26, 2023). [2] OpenAI’s Terms of Use are available at https://openai.com/policies/terms-of-use (as of September 18, 2023). [3] The web form “User Content Opt-Out Request” is available at https://docs.google.com/forms/d/e/1FAIpQLScrnC-_A7JFs4LbIuzevQ_78hVERlNqqCPCt3d8XqnKOfdRdQ/viewform?pli=1 (as of September 18, 2023). [4] The conclusion of the Data Processing Agreement can be requested at https://openai.com/policies/data-processing-addendum (Stand as of September 18, 2023). [5] Verification can be done by searching for “OpenAI” in the Data Privacy Framework List at https://www.dataprivacyframework.gov/s/participant-search.Applications of ChatGPT
In which areas can ChatGPT be used?
Â
Principally, ChatGPT can be used in all areas where text is generated, processed, or searched for content. However, depending on the application area, there are also risks associated with its use.
Below is a risk assessment of areas where ChatGPT can generally be used but may not always be advisable:
Area of Application | Description | Risk |
---|---|---|
Marketing and Content-Creation | ChatGPT can be used for newsletters or social media content. Accuracy checks are necessary. For copyright reasons, results should serve as inspiration; direct adoption prevents authorship, as claims to copyright cannot be made against third parties. | low |
Translations | ChatGPT can also be used for translations of publicly available texts (e.g., on websites or blog posts). | low |
Software-Development | When using ChatGPT for software development, pay attention to prompts. Erroneous source codes can jeopardize trade secrets. Increased caution is needed to prevent leaks (e.g., through output seen by other users). | mid |
Data analysis and management | Unclear data processing with ChatGPT. Therefore, do not input internal/sensitive company data, especially for analysis purposes. Anonymization helps, but there are still potential data protection risks due to errors or lack of legal basis. | high |
Tips
Tips for the (legally) secure use of ChatGPT
Finally, we present valuable tips and strategies to help use ChatGPT safely and protect against potential risks:
- Adoption of an AI Use Policy for employees, which includes clear rules for the use of AI systems (e.g., permitted purposes, requirements for prompts, use of results, system settings, etc.).
- Conduct training and awareness-raising measures for employees.
- Verify the accuracy of AI-generated results before they are used.
- For copyright reasons, it is advisable to use the results of the AI system only as a foundation and inspiration.
- Review whether internal processes or documents need to be adjusted. This could include the privacy policy, the record of processing activities, service contracts, etc.
Summary and Outlook
The use of ChatGPT in businesses comes with numerous legal risks, with data protection being one of the biggest challenges. For instance, in April 2023, the Italian data protection authority blocked access to ChatGPT. Similarly, in the EU, AI systems have come under scrutiny from national data protection authorities, raising concerns among companies and users alike. At the same time, current regulatory approaches at the EU level are advancing, including the AI Act and the AI Liability Regulation.
However, companies can still use AI text generators like ChatGPT effectively if they know how to do so responsibly. For example, if no personal data or trade secrets are entered into ChatGPT, businesses do not violate the GDPR or confidentiality agreements. Therefore, it is advisable for companies to establish guidelines for the use of AI systems, clearly outlining permissible applications and protocols for handling personal data and trade secrets. Furthermore, companies should carefully assess the technical and organizational measures that the AI system offers and take appropriate actions (e.g., opting out of training purposes).
If you want to learn more about how Leftshift One makes internal corporate knowledge accessible with MyGPT, visit us here.